3

I'm doing some testing on my web app with Tamper Data. I've had success with Tamper Data in the past for normal HTTP post requests, but in this particular case I want to modify a post request that has the content-type set to multipart/form-encoding.

Tamper Data shows this request as one big blob of messy escaped-ness and the text field is too small to view the entire thing or reasonably edit it. I also tried copying/pasting to a text editor, making changes, then copying/pasting back, but I must not be doing something right because the web app isn't acting like it's received any form data.

Is there a setting I'm missing to have Tamper Data modify multipart requests like this in an easier manner? If not, any tips for doing it by hand? Thanks.

Mark E. Haase

2 Answers

5

In my experience it works fine (copy/paste, modify, and copy/paste again). However, I have only changed the name of the field to test a path manipulation, and it was a success. You might have an issue with your web app.

Rory Alsop
Omar Elfada
  • Thanks. I was actually doing the same (just changing a field name) but I know it's not my web app because I was able to do it correctly with a stand-alone proxy (mitmproxy). – Mark E. Haase Dec 28 '11 at 22:15
4

Usually it is possible to modify the POST request by copy/pasting into a text editor, but not always; I find it will often cause problems when posting JSON. This process can also damage the content-type and content-size, although it usually fixes this for you (but it is unreliable).

In general I find standalone proxies to be easier to use and more powerful. You can also do stuff like modify the entire HTTP request, including the URL, which is something you can't do with Tamper Data. The OWASP Zed Attack Proxy or commercial tools like Burp and Charles are all great choices for any pen tester.

rook
  • Yes. Years later, I use MITM Proxy almost exclusively for this type of work. Tamper Data isn't worth the trouble any more. http://mitmproxy.org/ – Mark E. Haase Oct 23 '13 at 13:47
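
For editing a multipart body by hand when testing your own app, the following is an added example (not code from any of the posts above) that renames one form field while keeping the CRLF framing and boundary intact and recomputing Content-Length. The sample request, boundary string and function names are constructed for illustration, and the idea that a text-editor round trip fails because line endings get converted is an assumption; the thread does not identify the cause.

```python
import re

# Constructed sample request (not from the page): two parts, CRLF line endings.
SAMPLE_CT = "multipart/form-data; boundary=----constructedBoundary42"
SAMPLE_BODY = (
    b"------constructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="path"\r\n\r\n'
    b"reports/2011\r\n"
    b"------constructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="path"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"hello\r\n"
    b"------constructedBoundary42--\r\n"
)

def split_parts(body, content_type):
    """Return (boundary, [(header_block, content), ...]) or raise ValueError."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.I)
    if not m:
        raise ValueError("Content-Type has no boundary parameter")
    boundary = m.group(1).encode("ascii")
    chunks = body.split(b"--" + boundary)
    if len(chunks) < 3 or not chunks[-1].startswith(b"--"):
        raise ValueError("closing delimiter missing: body was truncated")
    parts = []
    for chunk in chunks[1:-1]:  # skip the preamble and the closing marker
        if not (chunk.startswith(b"\r\n") and chunk.endswith(b"\r\n")):
            raise ValueError("part is not CRLF-framed: line endings were altered")
        headers, sep, content = chunk[2:-2].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no blank line after its headers")
        parts.append((headers, content))
    return boundary, parts

def rename_field(body, content_type, old, new):
    """Rename form field `old` to `new`; return (new_body, headers_to_send)."""
    boundary, parts = split_parts(body, content_type)
    # Anchor on '; name=' so that filename="..." is never rewritten.
    pat = re.compile(rb'(;\s*)name="' + re.escape(old.encode()) + rb'"')
    out = b""
    for headers, content in parts:
        headers = pat.sub(lambda m: m.group(1) + b'name="' + new.encode() + b'"', headers)
        out += b"--" + boundary + b"\r\n" + headers + b"\r\n\r\n" + content + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    # Content-Length must be recomputed from the edited bytes.
    return out, {"Content-Type": content_type, "Content-Length": str(len(out))}

if __name__ == "__main__":
    body, hdrs = rename_field(SAMPLE_BODY, SAMPLE_CT, "path", "dir")
    print(hdrs["Content-Length"], len(SAMPLE_BODY))
```

Running `split_parts` on a body pasted back from an editor is a quick way to see whether the framing survived before blaming the web app.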